Tampering detection device, tampering detection method and program

ABSTRACT

The present invention can be efficiently applied to secure computation and can achieve a low probability of successful tampering. A tampering detection device includes a parameter storage storing parameters α ijk  for uniformly mapping from two elements of a ring R q  to one element of the ring R q , a division part  12  dividing N values a 0 , . . . , a N−1  into sets of q values to generate value vectors A 0 , . . . , A ρ−1 , a generation part  14  generating a checksum c, and a verification part  15  comparing a verification value generated by using the value vectors A 0 , . . . , A ρ−1  with the checksum c to determine whether or not any of the values a 0 , . . . , a N−1  has been tampered with. Here, N and q are integers greater than or equal to 2 and ρ is a minimum integer greater than or equal to N/q.

TECHNICAL FIELD

The present invention relates to a tampering detection technique fordetecting data tampering in secure computation in which data processingis performed while concealing data.

BACKGROUND ART

An existing checksum technique used for tampering detection is the onedescribed in Non-patent literature 1. The checksum technique describedin Non-patent literature 1 includes addition and multiplication and canbe efficiently applied to secure computation.

The checksum technique described in Non-patent literature 1 uses randomnumbers r∈F to generate a check sum c of values a₀, . . . , a_(N−1)∈Faccording to Formula 1 given below, where F is a field.

$\begin{matrix}{c:={\sum\limits_{0 \leq i < N}{a_{i}r^{i + 1}}}} & \lbrack {{Formula}\mspace{14mu} 1} \rbrack\end{matrix}$

In Non-patent literature 1, the checksum c is verified according toFormula 2 given below.

$\begin{matrix}{{\sum\limits_{0 \leq i < N}{a_{i}r^{i + 1}}} - c} & \lbrack {{Formula}\mspace{14mu} 2} \rbrack\end{matrix}$

If Formula 2 yields 0, then it is determined that none of the values a₀,. . . , a_(N−1) have been tampered with. If Formula 2 yields a valueother than 0, it is determined that at least one of the values a₀, . . ., a_(N−1) has been tampered with.

PRIOR ART LITERATURE Non-Patent Literature

Non-patent literature 1: S. Obana and T. Araki, “Almost optimum secretsharing schemes secure against cheating for arbitrary secretdistribution”, ASIACRYPT, Vol. 4284 of Lecture Notes in ComputerScience, pp. 364-379, 2006.

SUMMARY OF THE INVENTION Problem to be Solved by the Invention

In the tampering detection technique described in Non-patent literature1, the probability of successful tampering is N/|F| when the field F ispredetermined. Here, N represents the number of pieces of data for whichthe checksum is generated and |*| represents the number of the elementsof *. Thus, since the probability of successful tampering isproportional to the number N of pieces of data, the probability ofsuccessful tampering increases as the number of pieces of data for whicha checksum is generated increases.

An object of the present invention is to provide a tampering detectiontechnique that can be efficiently applied to secure computation and canachieve a lower probability of successful tampering.

Means to Solve the Problem

To solve the problem described above, a tampering detection device ofthe present invention includes: a parameter storage storing a parameterα_(ijk) for uniformly mapping from a ring R to a ring R^(q), where i=0,. . . , q−1, j=0, . . . , q−1, and k=0, . . . , q−1; a division partdividing N values a₀, . . . , a_(N−1) into sets of q values, startingfrom the first value, to generate value vectors A₀, . . . , A_(ρ−1); ageneration part using the value vectors A₀, . . . , A_(ρ−1) to generatea checksum c including addition and multiplication, where vectormultiplication is a function f defined by the formula given below; averification part comparing a verification value with the check sum c todetermine whether or not any of the values a₀, . . . , a_(N−1) has beentampered with, the verification value being generated using vectormultiplication which is the function f; where N and q are integersgreater than or equal to 2 and ρ is a minimum integer greater than orequal to N/q.

$\begin{matrix}{{{f( {\overset{arrow}{x},\overset{arrow}{y}} )}:={\sum\limits_{j,{k < q}}{\alpha_{0,j,k}x_{j}y_{k}}}},\ldots\mspace{14mu},{\sum\limits_{j,{k < q}}{\alpha_{{q - 1},j,k}x_{j}y_{k}}}} & \lbrack {{Formula}\mspace{14mu} 3} \rbrack\end{matrix}$

Effects of the Invention

The tampering detection technique of the present invention can beefficiently applied to secure computation and can achieve a lowerprobability of successful tampering.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a diagram illustrating a functional configuration of atampering detection device;

FIG. 2 is a diagram illustrating a process flow for generating achecksum; and

FIG. 3 is a diagram illustrating a process flow for checksumverification.

DETAILED DESCRIPTION OF THE EMBODIMENTS

Embodiments of the present invention will be described below in detail.Like components are given like reference numerals throughout thedrawings and repeated description of those components will be omitted.

[First Embodiment]

A first embodiment of the present invention is an embodiment in whichthe present invention is applied to a checksum technique includingaddition and multiplication described in Non-patent literature 1.

<Configuration>

An exemplary configuration of a tampering detection device 1 accordingto first embodiment will be described with reference to FIG. 1. Thetampering detection device 1 includes a control part 101, a memory 102,an input part 11, a division part 12, a selection part 13, a generationpart 14, a verification part 15, an output part 16 and a parameterstorage 19. The tampering detection device 1 is a specialized deviceconfigured by installing a special program in a known or dedicatedcomputer including a CPU (Central Processing Unit) and a RAM (RandomAccess Memory) among other components, for example. The tamperingdetection device 1 executes processes under the control of the controlpart 101. Data input in the tampering detection device 1 and dataobtained as a result of the execution of the processes are stored in thememory 102 and the data stored in the memory 102 is retrieved and usedin other processes as needed. The parameter storage 19 may be a mainmemory such as a RAM (Random Access Memory), an auxiliary storageconfigured of a hard disk or a semiconductor memory such as an opticaldisc or flash memory, middleware such as a relational database or a keyvalue store, for example.

<Checksum Generation Process>

An exemplary operation of a checksum generation process executed by thetampering detection device 1 of this embodiment will be described indetail in the order of procedure with reference to FIG. 2. In thefollowing description, N and q are integers greater than or equal to 2,ρ is a minimum integer greater than or equal to N/q and R represents aring.

Parameters α_(ijk) for uniformly mapping from two elements of a ringR^(q) to one element of the ring R^(q) (where i=0, . . . , q−1; j=0, . .. , q−1; and k=0, . . . , q−1) is stored beforehand in the parameterstorage 19. The parameter α_(ijk) can be obtained by determining a ringR and the degree q. While there can be a plurality of parametersα_(ijk), it is desirable to choose it parameters α_(ijk) that include q³values including the most 0s. For example, efficient tampering detectioncan be achieved by choosing such parameters α_(ijk) that R is a fieldand R^(q) is an expansion field of the field R.

N values a₀, . . . , a_(N−1)∈R are input into the input part 11 of thetampering detection device 1 (step S11 a). The input values a₀, . . . ,a_(N−1) are input into the division part 12. While the values a₀, . . ., a_(N−1) may be any information, the values a₀, . . . , a_(N−1) may beciphertext of homomorphic encryption or shares of secret sharing.Homomorphic encryption is an encryption method that has homomorphism andenables calculation of the sum or product of original plain text fromciphertext without decryption. An example of homomorphic encryption isElGamal cryptosystem. Details of the ElGamal cryptosystem are describedin documents such as ‘T. ElGamal, “A public key cryptosystem andsignature scheme based on discrete logarithms”, IEEE Transactions onInformation Theory, vol. 31, no. 4, pp. 469-472, 1985 (Referenceliterature 1)’. Secret sharing is a technique by which data istransformed into multiple shares so that the original data can bereconstructed by using a certain number of shares or more but none ofthe original data can be reconstructed by using any number of sharesless than the certain number. One example is Shamir's secret sharing.Details of Shamir's secret sharing are described in documents such as‘A. Shamir, “How to share a secret”, Communications of the ACM, vol. 22,issue 11, pp. 612-613, 1979 (Reference literature 2)’.

The division part 12 divides the N values a₀, . . . , a_(N−1) into setsof q values, starting from the first value, to generate p value vectorsA₀, . . . , A_(ρ−1) (step S12 a). The generated value vectors A₀, . . ., A_(ρ−1) are input into the generation part 14. If the number ofelements of the last value vector A_(ρ−1) is not q as a result of thedivision, the value vector is padded with an arbitrary value so that thenumber of elements becomes q. For example, if the last vector is paddedwith 0 and N=11 and q=2, then a₀, . . . , a₁₀ may be divided as A₀:=(a₀,a₁), A₁:=(a₂, a₃), A₂:=(a₄, a₅), . . . , A₅:=(a₁₀, 0).

The selection part 13 selects a random number r∈R^(q) (step S13). Theselected random number r is input into the generation part 14. Theselection part 13 may select one random number r at random at a time ormay select a random number r from among a plurality of values generatedand stored in the memory 102 beforehand in accordance with a rule.Furthermore, a random number may be a pseudorandom number generated fromany encryption method or a hash function, instead of a true randomnumber.

The generation part 14 uses the value vectors A₀, . . . , A_(ρ−1) andthe random number r to generate a checksum c (step S14). The generatedchecksum c and the random number r are input into the output part 16.Specifically, the generation part 14 calculates the checksum c inaccordance with Formula 4 given below.

$\begin{matrix}{c:={\sum\limits_{0 \leq i < \rho}{A_{i}r^{i + 1}}}} & \lbrack {{Formula}\mspace{14mu} 4} \rbrack\end{matrix}$

Here the multiplication of the vectors is performed by using a functionf defined by Formulas 5.

$\begin{matrix}{{{f( {\overset{arrow}{x},\overset{arrow}{y}} )}:={f_{0}( {\overset{arrow}{x},\overset{arrow}{y}} )}},\ldots\mspace{14mu},{f_{q - 1}( {\overset{arrow}{x},\overset{arrow}{y}} )}} & \lbrack {{Formula}\mspace{14mu} 5} \rbrack \\{{f_{i}( {\overset{arrow}{x},\overset{arrow}{y}} )}:={\sum\limits_{j,{k < q}}{\alpha_{i,j,k}x_{j}y_{k}}}} & \;\end{matrix}$

The output part 16 outputs the checksum c and the random number r (stepS16 a).

<Checksum Verification Process>

An exemplary operation of a checksum verification process executed bythe tampering detection device 1 of this embodiment will be described indetail in the order of procedure with reference to FIG. 3.

N values a₀, . . . , a_(N−1)∈R, a random number r∈R^(q) and a checksum care input in the input part 11 of the tampering detection device 1 (stepS1lb). The input values a₀, . . . , a_(N−1) are input into the divisionpart 12. The input random number r and checksum c are input into theverification part 15.

The division part 12 divides the values a₀, . . . , a_(N−1) into sets ofq values, starting from the first value, to generate value vectors A₀, .. . , A_(ρ−1) (step S12 b). The method for the division is the same asthe processing by the division part 12 in the checksum generationprocess. The processing at step S12 b can be omitted by configuring tostore the value vectors A₀, . . . , A_(ρ−1) generated in the checksumgeneration process.

The verification part 15 uses the value vectors A₀, . . . , A_(ρ−1) andthe checksum c to generate a verification result indicating whether ornot any of the values a₀, . . . , a_(N−1) have been tampered with (stepS15). The verification result is input into the output part 16.

Specifically, the verification part 15 evaluates Formula 6 given below.If Formula 6 yields 0, the verification part 15 determines that none ofthe values a₀, . . . , a_(N−1) has been tampered with. If Formula 6yields a value other than 0, the verification part 15 determines that atleast one of the values a₀, . . . , a_(N−1) has been tampered with.

$\begin{matrix}{{\sum\limits_{0 \leq i < \rho}{A_{i}r^{i + 1}}} - c} & \lbrack {{Formula}\mspace{14mu} 6} \rbrack\end{matrix}$

Here the multiplication of the vectors is performed by using thefunction f defined by Formulas 5 as in the checksum generation process.

The output part 16 outputs the verification result (step S16 b).

<Effect>

The checksum technique described in Non-patent literature 1 provides aprobability of successful tampering of N/p at best, where N is thenumber of pieces of data for which a checksum is generated and p is thenumber of elements of a ring R. Assuming that the ring R is fixed andp=2, for example, the tampering detection has little effect.

The checksum technique in the first embodiment can achieve a lowprobability of successful tampering by calculation using value vectorsA₀, . . . , A_(ρ−1)∈R^(q) as a unit. For example, if the ring R is aprime filed, i.e. Z/pZ, where Z is an integer ring, p is a prime numberand q is an integer greater than or equal to 2, a probability ofsuccessful tampering as low as approximately N/p^(q) can be achieved.Therefore an arbitrary low probability of successful tampering can beachieved by using a degree of field extension q which can be set to anarbitrary value.

[Second Embodiment]

A second embodiment of the present invention is an embodiment in whichthe present invention is applied to a checksum that can achieve a lowerprobability of successful tampering than the probability that can beachieved by the checksum described in Non-patent literature 1.

<Configuration>

An exemplary configuration of a tampering detection device 2 of secondembodiment will be described with reference to FIG. 1. The configurationof the tampering detection device 2 of the second embodiment is similarto the configuration of the tampering detection device 1 of the firstembodiment with the difference being processes performed by a selectionpart and a generation part. The tampering detection device 2 includes acontrol part 101, a memory 102, an input part 11, a division part 12, aselection part 23, a generation part 24, a verification part 25, anoutput part 16 and a parameter storage 19. The tampering detectiondevice 2 is a specialized device configured by installing a specialprogram in a known or dedicated computer including a CPU (CentralProcessing Unit) and a RAM (Random Access Memory) among othercomponents, for example. The tampering detection device 2 executesprocesses under the control of the control part 101. Data input in thetampering detection device 2 and data obtained as a result of theexecution of the processes are stored in the memory 102 and the datastored in the memory 102 are retrieved and used in other processes asneeded.

<Checksum Generation Process>

An exemplary operation of a checksum generation process executed by thetampering detection device 2 of this embodiment will be described indetail in the order of procedure with reference to FIG. 2. In thefollowing description, M, N, and q are integers greater than or equal to2, M<N, p is a minimum integer greater than or equal to N/q, and Rrepresents a ring.

The process from step S11 a through S12 a is the same as that in thefirst embodiment and therefore the description of steps S11 a throughS12 a will be omitted here.

The selection part 23 of this embodiment selects M random numbers r₀, .. . , r_(M−1)∈R^(q) (step S23). The selected random numbers r₀, . . . ,r_(M−1) are input into the generation part 24. The selection part 23 mayselect the M random numbers r₀, . . . , r_(M−1) at random at a time ormay select the M random numbers r₀, . . . , r_(M−1) from among aplurality of values stored in the memory 102 beforehand in accordancewith a predetermined rule.

The generation part 24 of this embodiment uses value vectors A₀, . . . ,A_(ρ−1) and the random numbers r₀, . . . , r_(M−1) to generate achecksum c (step S24). The generated check sum c and the random numbersr₀, . . . , r_(M−1) are input into the output part 16. Specifically, thegeneration part 24 calculates the checksum c according to Formula 7given below.

$\begin{matrix}{c:={\sum\limits_{i < \rho}{A_{i}{\prod\limits_{j < M}\; r_{j}^{d{({i,j})}}}}}} & \lbrack {{Formula}\mspace{14mu} 7} \rbrack\end{matrix}$

Here the multiplication of the vectors is performed by using a functionf defined by Formulas 5 as in the checksum generation process.

In Formula 7, the function d(i, j) is a function that determines theorder of the j-th random number r_(j) for the i-th value a_(i). It isassumed here that d(i, j)≠d(i′, j) is satisfied with any j (where j<M),where i and j′ are natural numbers and i≠j′. In other words,combinations of the orders of the random numbers r₀, . . . , r_(M−1)need to be combinations that do not overlap each other for each A_(i).

For example, if ρ=3 and M=2, then c=A₀r₀+A₁r₁+A₂r₀r₁ may be calculated.If ρ=4 and M=2, then c=A₀r₀+A₁r₁+A₂r₀r₁+A₃r₀ ²r₁ may be calculated orc=A₀r₀ ²r₁+A₁r₀r₁+A₂r₁+A₃r₀ may be calculated.

While M may be any value that is greater than or equal to 2 and lessthan ρ, the highest efficiency is provided by choosing a minimum integerthat exceeds log₂ρ as M because all of the orders of random numbers r₀,. . . , r_(M−1) can be less than or equal to 1. For example, if ρ=7 andM=3, then c=A₀r₀+A₁r₁+A₂r₀r₁+A₃r₂+A₄r₀r₂+A₅r₁r₂+A₆r₀r₁r₂ can becalculated and the orders of all of the random numbers can be less thanor equal to 1.

The output part 16 outputs the checksum c and the random numbers r₀, . .. , r_(M−1) (step S16 a).

<Checksum Verification Process>

An exemplary operation of a checksum verification process executed bythe tampering detection device 2 of this embodiment will be described indetail in the order of procedure with reference to FIG. 3.

The process from step S11 b through step S12 b is the same as that inthe first embodiment and therefore the description of the steps S11 athrough S12 b will be omitted here.

The verification part 25 uses the value vectors A₀, . . . , A_(ρ−1) therandom numbers r₀, . . . , r_(M−1) and the checksum c to generate averification result indicating whether or not any of the values a₀, . .. , a_(N−1) has been tampered (step S25). The verification result isinput into the output part 16.

Specifically, the verification part 25 evaluates Formula 8 given below.If Formula 8 is true, the verification part 25 determines that none ofthe values a₀, . . . , a_(N−1) has been tampered with. If Formula 8 isfalse, the verification part 25 determines that at least one of thevalues a₀, . . . , a_(N−1) has been tampered with.

$\begin{matrix}{c = {\sum\limits_{i < \rho}{A_{i}{\prod\limits_{j < M}\; r_{j}^{d{({i,j})}}}}}} & \lbrack {{Formula}\mspace{14mu} 8} \rbrack\end{matrix}$

Here the multiplication of the vectors is performed by using a functionf defined by Formulas 5 as in the checksum generation process.

The function d(i,j) in Formula 8 is the same as the function d(i,j) inFormula 7.

The output part 16 outputs the result of the verification (step S16 b).

<Effect>

If the checksum in the second embodiment is calculated using values a₀,. . . , a_(N−1)∈R as a unit, the probability of successful tampering islogN/p at best, where N is the number of pieces of data for which thechecksum is generated and p is the number of elements of the ring R.Although this probability is lower than the probability achieved by thechecksum technique described in Non-patent literature 1, the tamperingdetection has little effect if the ring R is fixed and p=2, for example.

By calculating the checksum in the second embodiment using value vectorsA₀, . . . , A_(ρ−1)∈R^(q) as a unit, a low probability of successfultampering can be achieved. For example, a probability of successfultampering of approximately logN/p^(q) can be achieved, where Z is aninteger ring, p is a prime number, q is an integer greater than or equalto 2, and the ring R is a prime field, Z/pZ. Therefore, an arbitrary lowprobability of successful tampering can be achieved by using a degree offield extension q which can be set to an arbitrary value.

[Example Application]

The tampering detection technique of the present invention can find awide variety of applications. For example, the technique can be usedwhen ciphertext generated by homomorphic encryption or share datagenerated by secret sharing is entrusted to a server managed by a thirdparty. In such a case, there are risks such as the risk of the databeing tampered with by a malicious attacker accessing the server, therisk of the entrusted data being maliciously tampered with by the serveritself, and the risk of data being tampered with by malware infectingthe server. Generating and adding a checksum of the present invention todata to be entrusted enables the server to perform data processing onthe concealed data while concealing the data and prevent data tampering.

[Program and Recording Medium]

It would be understood that the present invention is not limited to theembodiments described above and modifications can be made withoutdeparting from the spirit of the present invention. Furthermore, theprocesses described in the embodiments may be performed not only in timesequence as is written or may be performed in parallel with one anotheror individually, depending on the throughput of the apparatuses thatperform the processes or requirements.

If processing functions of any of the devices described in theembodiments are implemented by a computer, the processing of thefunctions that the devices should include is described in a programs.The program is executed on the computer to implement the processingfunctions of the devices on the computer.

The programs describing the processing can be recorded on acomputer-readable recording medium. The computer-readable recordingmedium may be any recording medium such as a magnetic recording device,an optical disc, a magneto-optical recording medium, and a semiconductormemory.

The program is distributed by selling, transferring, or lending aportable recording medium on which the program is recorded, such as aDVD or a CD-ROM. The program may be stored on a storage device of aserver computer and transferred from the server computer to othercomputers over a network, thereby distributing the program.

A computer that executes the program first stores the program recordedon a portable recording medium or transferred from a server computerinto a storage device of the computer. When the computer executes theprocesses, the computer reads the program stored on the recording mediumof the computer and executes the processes according to the readprogram. In another mode of execution of the program, the computer mayread the program directly from a portable recording medium and executethe processes according to the program or may execute the processesaccording to the program each time the program is transferred from theserver computer to the computer. Alternatively, the processes may beexecuted using a so-called ASP (Application Service Provider) service inwhich the program is not transferred from a server computer to thecomputer but process functions are implemented by instructions toexecute the program and acquisition of the results of the execution.Note that the program in this mode encompasses information that isprovided for processing by an electronic computer and is equivalent tothe program (such as data that is not direct commands to a computer buthas the nature that defines processing of the computer).

While the inventive device is configured by causing a computer toexecute a predetermined program in the embodiments described above, atleast some of the processes may be implemented by hardware.

What is claimed is:
 1. A tampering detection device comprising:circuitry configured to store parameters α_(ijk) for uniformly mappingfrom two elements of a ring R^(q) to one element of the ring R^(q),where i=0, . . . , q−1, j=0, . . . , q−1, and k=0, . . . , q−1; divide Nvalues a₀, . . . , a_(N−1) into sets of q values, starting from thefirst value, to generate value vectors A₀, . . . ,A_(ρ−1); select arandom number r from the ring R^(q); generate a checksum c by performingaddition and multiplication using the value vectors A₀, . . . , A_(ρ−1)by calculating $\begin{matrix}{{c:={\sum\limits_{0 \leq i < \rho}{A_{i}r^{i + 1}}}},} & \lbrack {{Formula}\mspace{14mu} 10} \rbrack\end{matrix}$  where vector multiplication is a function f using theparameters α_(ijk) defined by $\begin{matrix}{{{f( {\overset{arrow}{x},\overset{arrow}{y}} )}:={\sum\limits_{j,{k < q}}{\alpha_{0,j,k}x_{j}y_{k}}}},\ldots\mspace{14mu},{{\sum\limits_{j,{k < q}}{\alpha_{{q - 1},j,k}x_{j}y_{k}}};}} & \lbrack {{Formula}\mspace{14mu} 16} \rbrack\end{matrix}$ determine that none of the values a₀, . . . , a_(N−1) hasbeen tampered with if the formula given below yields 0, and determinethat at least one of the values a₀, . . . , a_(N−1) has been tamperedwith if the formula given below yields a value other than 0$\begin{matrix}{{{\sum\limits_{0 \leq i < \rho}{A_{i}r^{i + 1}}} - c},} & \lbrack {{Formula}\mspace{14mu} 11} \rbrack\end{matrix}$  where vector multiplication is the function f; and whereN and q are integers greater than or equal to 2 and ρ is a minimuminteger greater than or equal to N/q.
 2. A tampering detection devicecomprising: circuitry configured to store parameters α_(ijk) foruniformly mapping from two elements of a ring R^(q) to one element ofthe ring R^(q), where i=0, . . . , q−1, j=0, . . . , q−1 and k=0, . . ., q−1; divide N values a₀, . . . , a_(N−1) into sets of q values,starting from the first value, to generate value vectors A₀, . . . ,A_(ρ−1); select M random numbers r₀, . . . , r_(M−1) from the ringR^(q); generate a checksum c by performing addition and multiplicationusing the value vectors A₀, . . . , A_(ρ−1) by calculating$\begin{matrix}{{c:={\sum\limits_{i < \rho}{A_{i}{\prod\limits_{j < M}\; r_{j}^{d{({i,j})}}}}}},} & \lbrack {{Formula}\mspace{14mu} 12} \rbrack\end{matrix}$  where vector multiplication is a function f using theparameters α_(ijk) defined by $\begin{matrix}{{{f( {\overset{arrow}{x},\overset{arrow}{y}} )}:={\sum\limits_{j,{k < q}}{\alpha_{0,j,k}x_{j}y_{k}}}},\ldots\mspace{14mu},{{\sum\limits_{j,{k < q}}{\alpha_{{q - 1},j,k}x_{j}y_{k}}};}} & \lbrack {{Formula}\mspace{14mu} 17} \rbrack\end{matrix}$ determine that none of the values a₀, . . . , a_(N−1) hasbeen tampered with if the formula given below is true, and determinethat at least one of the values a₀, . . . , a_(N−1) has been tamperedwith if the formula given below is false $\begin{matrix}{{c = {\sum\limits_{i < \rho}{A_{i}{\prod\limits_{j < M}\; r_{j}^{d{({i,j})}}}}}},} & \lbrack {{Formula}\mspace{14mu} 13} \rbrack\end{matrix}$  where vector multiplication is the function f; and whereN and q are integers greater than or equal to 2, ρ is a minimum integergreater than or equal to N/q, and M is an integer greater than or equalto 2, M<N, i and i′ are natural numbers, i≠i′, and j<M, with any of j isa function such that d(i, j)≠d(i′, j).
 3. A method for detectingtampering implemented by a tampering detection device, the methodcomprising: by circuitry of the tampering detection device: dividing Nvalues a₀, . . . , a_(N−1) into sets of q values, starting from thefirst value, to generate value vectors A₀, . . . , A_(ρ−1); selecting arandom number r from the ring R^(q); generating a checksum c byperforming addition and multiplication using the value vectors A₀, . . ., A_(ρ−1) by calculating $\begin{matrix}{{c:={\sum\limits_{0 \leq i < \rho}\;{A_{i}r^{i + 1}}}},} & \lbrack {{Formula}\mspace{14mu} 18} \rbrack\end{matrix}$  where vector multiplication is a function f using theparameters α_(ijk) defined by $\begin{matrix}{{{f( {\overset{->}{x},\overset{->}{y}} )}:={\sum\limits_{j,{k < q}}\;{\alpha_{0,j,k}x_{j}y_{k}}}},\ldots\mspace{14mu},{{\sum\limits_{j,{k < q}}\;{\alpha_{{q - 1},j,k}x_{j}y_{k}}};}} & \lbrack {{Formula}\mspace{14mu} 14} \rbrack\end{matrix}$ determining that none of the values an, a₀, . . . ,a_(N−1) has been tampered with if the formula given below yields 0, anddetermining that at least one of the values a₀, . . . , a_(N−1) has beentampered with if the formula given below yields a value other than 0$\begin{matrix}{{{\sum\limits_{0 \leq i < \rho}\;{A_{i}r^{i + 1}}} - c},} & \lbrack {{Formula}\mspace{14mu} 19} \rbrack\end{matrix}$  where vector multiplication is the function f; and whereN and q are integers greater than or equal to 2, ρ is a minimum integergreater than or equal to N/q, α_(jjk) are parameters for uniformlymapping from two elements of a ring R^(q) to one element of the ringR^(q), i=0, . . . , q−1, j=0, . . . , q−1, and k=0, . . . , q−1.
 4. Anon-transitory computer readable medium including computer executableinstructions that make a tampering detection device perform a method,the method comprising: dividing N values a₀, . . . , a_(N−1) into setsof q values, starting from the first value, to generate value vectorsA₀, . . . , A_(ρ−1;) selecting a random number r from the ring R^(q);generating a checksum c by performing addition and multiplication usingthe value vectors A₀, . . . , A_(ρ−1) by calculating $\begin{matrix}{{c:={\sum\limits_{0 \leq i < \rho}\;{A_{i}r^{i + 1}}}},} & \lbrack {{Formula}\mspace{14mu} 20} \rbrack\end{matrix}$  where vector multiplication is a function f usingparameters α_(ijk) defined by $\begin{matrix}{{{f( {\overset{->}{x},\overset{->}{y}} )}:={\sum\limits_{j,{k < q}}\;{\alpha_{0,j,k}x_{j}y_{k}}}},\ldots\mspace{14mu},{{\sum\limits_{j,{k < q}}\;{\alpha_{{q - 1},j,k}x_{j}y_{k}}};}} & \lbrack {{Formula}\mspace{14mu} 15} \rbrack\end{matrix}$ determining that none of the values a₀, . . . , a_(N−)hasbeen tampered with if the formula given below yields 0, and determiningthat at least one of the values a₀, . . . , a_(N−1) has been tamperedwith if the formula given below yields a value other than 0$\begin{matrix}{{{\sum\limits_{0 \leq i < \rho}\;{A_{i}r^{i + 1}}} - c},} & \lbrack {{Formula}\mspace{14mu} 21} \rbrack\end{matrix}$  where vector multiplication is the function f; and whereN and q are integers greater than or equal to 2, ρ is a minimum integergreater than or equal to N/q, α_(ijk) are parameters for uniformlymapping from two elements of a ring R^(q) to one element of the ringR^(q), i=0, . . . , q−1, j=0, . . . , q−1, and k=0, . . . , q−1.
 5. Thetampering detection device according to claim 1, wherein the ring R isZ/pZ, where Z is an integer ring and p is a prime number.
 6. A methodfor detecting tampering implemented by a tampering detection device, themethod comprising: by circuitry of the tampering detection device:dividing N values a₀, . . . , a_(N−1) into sets of q values, startingfrom the first value, to generate value vectors A₀, . . . , A_(ρ−1);selecting M random numbers r₀, . . . , r_(M−1) from the ring R^(q);generating a checksum c including addition and multiplication using thevalue vectors A₀, . . . , A_(ρ−1) by calculating $\begin{matrix}{{c:={\sum\limits_{i < \rho}\;{A_{i}{\prod\limits_{j < M}^{\;}\; r_{j}^{d{({i,j})}}}}}},} & \lbrack {{Formula}\mspace{14mu} 22} \rbrack\end{matrix}$  where vector multiplication is a function f using theparameters 60 _(ijk) defined by $\begin{matrix}{{{f( {\overset{->}{x},\overset{->}{y}} )}:={\sum\limits_{j,{k < q}}\;{\alpha_{0,j,k}x_{j}y_{k}}}},\ldots\mspace{14mu},{{\sum\limits_{j,{k < q}}\;{\alpha_{{q - 1},j,k}x_{j}y_{k}}};}} & \lbrack {{Formula}\mspace{14mu} 23} \rbrack\end{matrix}$ determining that none of the values a₀, . . . , a_(N−1)has been tampered with if the formula given below is true, anddetermining that at least one of the values a₀, . . . , a_(N−1) has beentampered with if the formula given below is false $\begin{matrix}{{c = {\sum\limits_{i < \rho}\;{A_{i}{\prod\limits_{j < M}^{\;}\; r_{j}^{d{({i,j})}}}}}},} & \lbrack {{Formula}\mspace{14mu} 24} \rbrack\end{matrix}$  where vector multiplication is the function f; and whereN and q are integers greater than or equal to 2, ρ is a minimum integergreater than or equal to N/q, M is an integer greater than or equal to2, M<N, i and i′ are natural numbers, i≠i′, and j<M, with any of j is afunction such that d(i, j)≠d(i′, j), α_(ijk) are parameters foruniformly mapping from two elements of a ring R^(q) to one element ofthe ring R^(q), i=0, . . . , q−1, j=0, . . . , q−1, and k=0, . . . ,q−1.
 7. A non-transitory computer readable medium including computerexecutable instructions that make a tampering detection device perform amethod, the method comprising: dividing N values a₀, . . . , a_(N−1)into sets of q values, starting from the first value, to generate valuevectors A₀, . . . , A_(ρ−); selecting M random numbers r₀, . . . ,r_(M−1) from the ring R^(q); generating a checksum c including additionand multiplication using the value vectors A₀, . . . , A_(ρ−1) bycalculating $\begin{matrix}{{c:={\sum\limits_{i < \rho}\;{A_{i}{\prod\limits_{j < M}^{\;}\; r_{j}^{d{({i,j})}}}}}},} & \lbrack {{Formula}\mspace{14mu} 25} \rbrack\end{matrix}$  where vector multiplication is a function f usingparameters α_(ijk) defined by $\begin{matrix}{{{f( {\overset{->}{x},\overset{->}{y}} )}:={\sum\limits_{j,{k < q}}\;{\alpha_{0,j,k}x_{j}y_{k}}}},\ldots\mspace{14mu},{{\sum\limits_{j,{k < q}}\;{\alpha_{{q - 1},j,k}x_{j}y_{k}}};}} & \lbrack {{Formula}\mspace{14mu} 26} \rbrack\end{matrix}$ determining that none of the values a₀, . . . , a_(N−1)has been tampered with if the formula given below is true, anddetermining that at least one of the values a₀, . . . , a_(N−1) has beentampered with if the formula given below is false $\begin{matrix}{{c = {\sum\limits_{i < \rho}\;{A_{i}{\prod\limits_{j < M}^{\;}\; r_{j}^{d{({i,j})}}}}}},} & \lbrack {{Formula}\mspace{14mu} 27} \rbrack\end{matrix}$  where vector multiplication is the function f; and whereN and q are integers greater than or equal to 2, ρ is a minimum integergreater than or equal to N/q, M is an integer greater than or equal to2, M<N, i and i′ are natural numbers, i≠i′, and j<M, with any of j is afunction such that d(i, j)≠d(i′, j), α_(ijk) are parameters foruniformly mapping from two elements of a ring R^(q) to one element ofthe ring R^(q), i=0, . . . , q−1, j=0, q−1, and k=0, . . . , q−1.